CVE-2026-54684

HIGH

jadx: XAPK archive entries with absolute paths can plant drop-in plugins and achieve code execution on the next jadx run

CVSS v3

7

HIGH

EPSS Score

exploit probability

CISA KEV

No

known exploited

Exploitation

SSVC status

Description

jadx is a Dex to Java decompiler. From 1.5.2 to 1.5.5, a malicious .xapk file can cause jadx to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack directory because XApkLoader resolves each entry name directly with tmpDir.resolve(fileName) after a CWD-based ZIP security check. When jadx is launched from a directory that is an ancestor of the config directory, the arbitrary write can plant a JAR in plugins/dropins, and the next jadx run loads the JA

Technical Details

CVSS v3 Vector
3.1
Published
7/14/2026
Last Modified
7/15/2026

Frequently Asked Questions

What is CVE-2026-54684?

jadx is a Dex to Java decompiler. From 1.5.2 to 1.5.5, a malicious .xapk file can cause jadx to write attacker-controlled archive entry contents outside the intended XAPK plugin temporary unpack directory because XApkLoader resolves each entry name directly with tmpDir.resolve(fileName) after a CWD-based ZIP security check. When jadx is launched from a directory that is an ancestor of the config directory, the arbitrary write can plant a JAR in plugins/dropins, and the next jadx run loads the JA

Is CVE-2026-54684 actively exploited?

Active exploitation of CVE-2026-54684 has not been confirmed. The EPSS score is N/A%, indicating the estimated probability of exploitation in the next 30 days.

What is the CVSS score for CVE-2026-54684?

CVE-2026-54684 has a CVSS v3 base score of 7 (HIGH severity), with vector string 3.1.

Is CVE-2026-54684 affecting your environment?

Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.